Add support for nss_wrapper to the Alpine based images #543

Closed
wants to merge 2 commits into from

@mterron mterron commented Jan 16, 2019

Support nss_wrapper to align with the Debian based images.

This makes running these images on the OpenShift/Kubernetes platform easier.

Support nss_wrapper to align with the Debian based images.
Add nss_wrapper to align with the Debian based images
@mterron mterron changed the title Add support for nss_wrapper Add support for nss_wrapper to the Alpine based images Jan 17, 2019
@tianon
Member

tianon commented Jan 19, 2019

I'm honestly a bit on the fence with this one -- having to build nss_wrapper from source is why Alpine didn't include nss_wrapper in the original PR. 😞

@mterron
Author

mterron commented Jan 19, 2019

Since you are building postgres from source and not using the Alpine native packages, I thought this might be really useful. Especially when it adds only a couple of kb to the image size and maybe 1 minute to the build process.

Given the hoops people have jumped through to get it going (see: https://jayunit100.blogspot.com/2017/10/get-that-damn-alpine-postgres-image.html) this seems like a very simple solution.
It'd be nice if the "official" postgres image just worked.

Cheers

@tianon
Member

tianon commented Jan 21, 2019

Interesting -- is this verified to work? If so, it's probably worth commenting on https://bugs.alpinelinux.org/issues/6710 (since from what I can tell, this was attempted to be added to Alpine proper but there wasn't a good source for NSS information that it could query). It'd be awesome if we could get nss_wrapper into Alpine proper (instead of maintaining this additional unrelated building code ourselves)! 😅

@mterron
Author

mterron commented Feb 24, 2019

@tianon it is verified to work on OpenShift online. It starts up and runs initdb just like the Debian based image.
I can try to get nss_wrapper into Alpine as a package too, compilation is trivial.

@tianon
Member

tianon commented Mar 11, 2019 via email

@mterron
Author

mterron commented Mar 11, 2019

> Getting an Alpine package of it accepted would definitely ease my concerns here -- as I noted, it's been an open issue at https://bugs.alpinelinux.org/issues/6710 for quite some time now and there were some fundamental issues discussed there that I think need to be addressed at that level (and I don't think it makes sense for us to maintain the code to build "nss_wrapper" at this level).

This fundamental issue you mention is for a generic use case. For the use case of this container image, nss_wrapper works exactly as designed and there's no need for any other supporting infrastructure.

Example:

~ $ id
uid=1001(test) gid=1001(test) groups=1001(test)
~ $ cat passwd
bob:x:1000:1000:Bob One:/home/test/bob:/bin/false
root:x:65534:65532:Root:/home/test/root:/bin/false
~ $ cat group
users:x:1000:
root:x:65532:
~ $ id bob
id: unknown user bob
~ $ LD_PRELOAD=/usr/lib/libnss_wrapper.so NSS_WRAPPER_PASSWD=./passwd NSS_WRAPPER_GROUP=./group id bob
uid=1000(bob) gid=1000(users) groups=1000(users)
~ $ id root
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
~ $ LD_PRELOAD=/usr/lib/libnss_wrapper.so NSS_WRAPPER_PASSWD=./passwd NSS_WRAPPER_GROUP=./group id root
uid=65534(root) gid=65532(root) groups=65532(root)

@anthonator

anthonator commented Dec 10, 2019

Apologies if this is an inappropriate place for this, but I'm curious what this is.

https://github.com/docker-library/postgres/blob/master/9.4/alpine/docker-entrypoint.sh#L67-L87

Did this package get support for libnss_wrapper at some point?

@yosifkit
Member

@anthonator Those lines exist because the entrypoint is the same in all images (which is why the usage of libnss is gated on its existence). It was added in #448. See also number 1 under "The three easiest ways to get around this" in the Arbitrary --user Notes section of the documentation on Docker Hub.
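
The gating described in the comment above, sketched as an added example (not the project's docker-entrypoint.sh): the wrapper is enabled only when the library file exists and the running uid has no passwd entry. The function names, the `postgres` entry and its home directory are assumptions.

```shell
#!/bin/sh
# Added example (not the project's entrypoint). Function names, the "postgres"
# entry and the home directory are assumptions for illustration.

NSS_WRAPPER_LIB="${NSS_WRAPPER_LIB:-/usr/lib/libnss_wrapper.so}"

# Prepare nss_wrapper files for a uid that has no passwd entry.
# Returns 0 when the wrapper should be used, 1 when the library is absent,
# 2 when the uid already resolves, 3 on temp-file failure.
setup_nss_wrapper() {
    nssw_uid="$1"; nssw_gid="$2"; nssw_lib="$3"

    # Gate 1: images without the library (Alpine here) skip everything.
    [ -e "$nssw_lib" ] || return 1

    # Gate 2: do nothing when the uid already resolves to a user.
    if id "$nssw_uid" >/dev/null 2>&1; then
        return 2
    fi

    # mktemp creates the files with mode 0600, private to the running uid.
    NSS_WRAPPER_PASSWD="$(mktemp)" || return 3
    NSS_WRAPPER_GROUP="$(mktemp)" || return 3
    printf 'postgres:x:%s:%s:PostgreSQL:/var/lib/postgresql:/bin/false\n' \
        "$nssw_uid" "$nssw_gid" > "$NSS_WRAPPER_PASSWD"
    printf 'postgres:x:%s:\n' "$nssw_gid" > "$NSS_WRAPPER_GROUP"
    NSS_WRAPPER_PRELOAD="$nssw_lib"
    return 0
}

# Remove the temporary files and stop preloading once they are not needed.
teardown_nss_wrapper() {
    if [ -n "${NSS_WRAPPER_PRELOAD:-}" ]; then
        rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
        unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP NSS_WRAPPER_PRELOAD
    fi
}

if setup_nss_wrapper "$(id -u)" "$(id -g)" "$NSS_WRAPPER_LIB"; then
    export LD_PRELOAD="$NSS_WRAPPER_PRELOAD" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
    id    # now resolves the current uid through the wrapper files
    teardown_nss_wrapper
fi
```

Scoping `LD_PRELOAD` to the step that needs the lookup and unsetting it afterwards keeps the preload out of every later child process.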

@anthonator

anthonator commented Dec 11, 2019

Thank you for the explanation!

@tianon
Member

tianon commented Jun 24, 2020

Closing in favor of https://gitlab.alpinelinux.org/alpine/aports/issues/6710 -- once that's resolved in a released version of Alpine, we should absolutely revisit this.

@tianon tianon closed this Jun 24, 2020